FYI, Spamsieve catches such Base64 messages.

On or near 1/6/03 9:37 AM, Peter C.S. Adams at [EMAIL PROTECTED] observed:

> Thus spake Barry Wainwright <[EMAIL PROTECTED]>, circa 1/5/2003 2:06 PM:
>> There are some rules that do work in spite of the spammers changing emails
>> all the time. Most effective of all my spam rules is the one that looks for
>> five consecutive spaces in the subject line.
>
> I have a similar test in a rule that FLAGS spam but does not delete it. That
> one's a little too general for me to risk losing a real message.
>
> Lately I've been seeing spam that passes through all my criteria and has an
> odd characteristic: looking at the source, you see that the body of the
> message is Base 64 encoded HTML! Apparently, Entourage decodes the Base 64
> and displays it. So I have devised a new rule with the following three
> tests. If all three are met, the message is flagged. (Once I'm happy with
> the results, I'll change the rule to delete the messages unseen.)
>
> 1. Attachment does not exist.
> 2. Any header contains "text/html"
> 3. Any header contains "base64"
>
> I am assuming that no legitimate message will ever contain Base 64 encoded
> HTML (why should it?) and that any legitimate Base 64 would be in an
> attachment (so in theory I could do away with test #2).
>
> For these reasons, I do not believe Entourage should decode Base 64 unless
> the message is (a) marked as multipart and (b) the encoded item is sent as
> an attachment with a name (e.g. image002.jpg). Can this behavior be changed
> in a future SR?
>
> peter

--
Microsoft MVP for Entourage/OE/Word (MVPs are volunteers)
Allen Watson <[EMAIL PROTECTED]>
Entourage FAQ site: <http://www.entourage.mvps.org/>
AppleScripts for Outlook Express and Entourage: <http:[EMAIL PROTECTED]/Scripts/>
Entourage Help Pages: <http://www.entourage.mvps.org/>
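
The three-test rule from the quoted message, as an added Python example that is not part of the original thread. It goes slightly further than the rule as stated: it requires text/html and base64 on the same MIME part, and it decodes the flagged body so ordinary content rules can run on the real text. All function names and sample messages are constructed for illustration.

```python
import base64
from email import message_from_string
from email.message import Message

def is_attachment(part: Message) -> bool:
    # Test 1: a part with an attachment disposition or a file name is an attachment.
    return part.get_content_disposition() == "attachment" or part.get_filename() is not None

def b64_html_parts(raw: str) -> list:
    """Leaf MIME parts that are text/html AND base64 (tests 2 and 3 on one part)."""
    leaves = [p for p in message_from_string(raw).walk() if not p.is_multipart()]
    if any(is_attachment(p) for p in leaves):
        return []  # test 1 fails: an attachment exists
    return [p for p in leaves
            if p.get_content_type() == "text/html"
            and str(p.get("Content-Transfer-Encoding", "")).strip().lower() == "base64"]

def flag_base64_html(raw: str) -> bool:
    return bool(b64_html_parts(raw))

def decoded_bodies(raw: str) -> list:
    """Decode flagged bodies so keyword and URL rules see the actual HTML."""
    return [p.get_payload(decode=True).decode(p.get_content_charset() or "ascii", "replace")
            for p in b64_html_parts(raw)]

# Constructed sample messages (not taken from the thread).
SAMPLE_HTML = "<html><body><b>Constructed sample body</b></body></html>"
SAMPLE_B64_HTML = (
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(SAMPLE_HTML.encode()).decode() + "\n"
)
SAMPLE_ATTACHMENT = (
    "Subject: constructed sample with picture\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee the attached picture.\n"
    '--b1\nContent-Type: image/jpeg; name="image002.jpg"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="image002.jpg"\n\n'
    "/9j/4AAQ\n--b1--\n"
)

if __name__ == "__main__":
    for name, raw in (("b64 html", SAMPLE_B64_HTML), ("attachment", SAMPLE_ATTACHMENT)):
        print(name, flag_base64_html(raw), decoded_bodies(raw))
```

Mail clients also base64-encode HTML bodies that contain non-ASCII text, so a match is safer used to flag or score a message than to delete it.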
